Cisco-Sourcefire Integration Takes Shape

When Cisco acquired Sourcefire last year for $2.7 billion, there were a lot of questions about how the networking giant would integrate the IPS vendor's technology into its portfolio. On Monday, Cisco began filling in the blanks by unveiling the first phase of its integration efforts.

The integration includes adding Sourcefire's Advanced Malware Protection (AMP) technology into its email and Web security appliances, as well as its Cloud Web Security Service. Cisco also announced additions to the FirePower network security appliance line it acquired from Sourcefire, and expanded its open source efforts by adding open source application detection functionality into the Snort engine. Snort is the open source IDS engine created by Martin Roesch before he founded Sourcefire.

At a media event in San Francisco as RSA Conference 2014 was kicking off, Chris Young, senior vice president of the Cisco Security Business Unit, called the Sourcefire integration a "new security model" that reflects the need for pervasive protection before, during and after an attack.

"You're always being attacked in today's world," he said. "We have to operate knowing that we're always under attack."

AMP uses a combination of file reputation, sandboxing, and a technique called file retrospection for analyzing threats that have made it into the network. File retrospection monitors and tracks user devices that have been exposed to malware so that a company can take steps to remediate the problem.

Rick Holland, principal analyst at Forrester Research, said the integration of AMP into Cisco's content security products and services bolsters the company's position in the anti-malware space.

"Prior to the acquisition of Sourcefire, Cisco didn't have as competitive of an anti-malware story. I actually think that AMP will be one of the most beneficial aspects of the acquisition," he said in an email interview.

For customers considering competing products such as FireEye, Cisco can counter with its integrated products, he said.

"This reduces operational friction for enterprises by avoiding the deployment of 'yet another point product' into an environment," he said. "Being able to take advantage of integrated capabilities gives companies flexibility to allocate their limited resources where they will have the most impact."

AMP will be available as a license option for Cisco's Web and email security appliances and cloud service.

The new FirePower 8300 series targets datacenter and core networks with a performance boost. Cisco said it provides a 50% increase in throughput, and up to four of the appliances can be stacked for 120Gbps of throughput. FirePower devices start with IPS functionality, and customers can add on next-generation firewall and AMP functionality.

Cisco said the addition of open source application detection and control to Snort, through its new OpenAppID language, will give users the ability to create custom app detection and control for their unique environments.

Roesch -- who is now a vice president and chief security architect at Cisco -- said that it will essentially allow users to "build open source next-generation firewalls." Next-generation firewalls allow users to write controls around applications, such as allowing users to run Gmail with two-factor authentication, but not another email program, he said at Monday's event.

Cisco said the OpenAppID preprocessor included in its special release of the Snort engine, as well as a future general Snort release, includes support for application detection on the network and blocking of apps by policy. The company is offering a library of more than 1,000 OpenAppID detectors through the Snort project.

Roesch said OpenAppID shows Cisco's commitment to open source, something it wasn't known for in the past. The company understands the open source community is a powerful way to develop software, he said, adding, "Cisco has picked it up and started running with it."

Cisco on Monday didn't reveal any details about future integration efforts to address technology overlap questions from the Sourcefire deal. Cisco has its own intrusion-prevention products.

Forrester's Holland said he likes the integration of AMP into Cisco's email and Web appliances, but it's too early to say how Cisco is doing with the Sourcefire integration overall.

"We don't know the full story yet," he said. "Once we know what the firewall/NGFW/IPS roadmap is going to look like, we will be better positioned to evaluate the overall integration of the two organizations."

Marcia Savage is the managing editor for Network Computing, and has been covering technology for 15 years. She has written and edited for CRN and spent several years covering information security for SC Magazine and TechTarget. Marcia began her journalism career in daily ...